Merge pull request #31019 from teto/strongswan_rebased

[RFC/RDY] make l2tp work with Strongswan
2025-07-13 13:40:28 +03:00 · 2018-03-03 15:56:05 +00:00 · 2018-03-03 15:56:05 +00:00 · 9936ed4920
commit 9936ed4920
parent ce82ae17a9 fe4f4de1c9
4 changed files with 28 additions and 4 deletions
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -335,6 +335,7 @@ in {

      preStart = ''
        mkdir -m 700 -p /etc/NetworkManager/system-connections
+        mkdir -m 700 -p /etc/ipsec.d
        mkdir -m 755 -p ${stateDirs}
      '';
    };
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@ -32,13 +32,13 @@ let
      ${caConf}
    '';

-  strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
+  strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
    charon {
      ${if managePlugins then "load_modular = no" else ""}
      ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}
      plugins {
        stroke {
-          secrets_file = ${ipsecSecrets secrets}
+          secrets_file = ${secretsFile}
        }
      }
    }
@ -135,7 +135,18 @@ in
    };
  };

-  config = with cfg; mkIf enable {
+
+  config = with cfg;
+  let
+    secretsFile = ipsecSecrets cfg.secrets;
+  in
+  mkIf enable
+    {
+
+    # here we should use the default strongswan ipsec.secrets and
+    # append to it (default one is empty so not a pb for now)
+    environment.etc."ipsec.secrets".source = secretsFile;
+
    systemd.services.strongswan = {
      description = "strongSwan IPSec Service";
      wantedBy = [ "multi-user.target" ];
@ -143,11 +154,15 @@ in
      wants = [ "keys.target" ];
      after = [ "network-online.target" "keys.target" ];
      environment = {
-        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; };
+        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
      };
      serviceConfig = {
        ExecStart  = "${pkgs.strongswan}/sbin/ipsec start --nofork";
      };
+      preStart = ''
+        # with 'nopeerdns' setting, ppp writes into this folder
+        mkdir -m 700 -p /etc/ppp
+      '';
    };
  };
 }